Computers and other devices, as well as secure facilities, services and financial accounts, often contain proprietary, personal and/or sensitive information, which could be compromised if accessed by unauthorized individuals. Thus such devices, facilities, services and accounts (hereinafter “restricted items”) often incorporate security techniques, such as database access control mechanisms, to prevent unauthorized users from accessing, obtaining, or altering the proprietary, personal and/or sensitive information. Authentication techniques allow users to prove their identity and obtain authorized access to a given restricted item.
In a phishing attack, a user is tricked into providing login credentials and/or sensitive information by an attacker impersonating an authentic website. The reason the attack succeeds is that the user is unable to determine whether the website is authentic or fake. Most existing defenses require the user to discern an authentic from fake website based upon the overall appearance of the website, a specially chosen website authentication image, or verification of the website's digital certification. Appearances may be imitated by the attacker or overlooked by the user.
Website authentication, either in addition to or as an alternative to appearance based defenses against phishing attacks, improves security for both users and the entities that utilize websites in communicating with users.